From owner-p4-projects Wed Jun 5 12:35:53 2002 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id D46A437B403; Wed, 5 Jun 2002 12:34:35 -0700 (PDT) Delivered-To: perforce@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id AFFC837B407 for ; Wed, 5 Jun 2002 12:34:33 -0700 (PDT) Received: (from perforce@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g55JYXD45150 for perforce@freebsd.org; Wed, 5 Jun 2002 12:34:33 -0700 (PDT) (envelope-from green@freebsd.org) Date: Wed, 5 Jun 2002 12:34:33 -0700 (PDT) Message-Id: <200206051934.g55JYXD45150@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: perforce set sender to green@freebsd.org using -f From: Brian Feldman Subject: PERFORCE change 12404 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=12404 Change 12404 by green@green_laptop_2 on 2002/06/05 12:34:14 Update mac_te to work with reality. Some newer hooks added aren't yet implemented. Affected files ... ... //depot/projects/trustedbsd/mac/sys/modules/Makefile#24 edit ... //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#32 edit Differences ... ==== //depot/projects/trustedbsd/mac/sys/modules/Makefile#24 (text+ko) ==== @@ -56,6 +56,7 @@ mac_none \ mac_partition \ mac_seeotheruids \ + mac_te \ mac_test \ md \ mii \ ==== //depot/projects/trustedbsd/mac/sys/security/mac_te/mac_te.c#32 (text+ko) ==== 
@@ -76,6 +76,10 @@ &mac_te_enabled, 0, "Enforce Type Enforcement policy"); TUNABLE_INT("security.mac.te.enabled", &mac_te_enabled); +static int destroyed_not_inited; +SYSCTL_INT(_security_mac_te, OID_AUTO, destroyed_not_inited, CTLFLAG_RD, + &destroyed_not_inited, 0, "Count of labels destroyed but not inited"); + static int mac_te_debug_checks = 0; SYSCTL_INT(_security_mac_te, OID_AUTO, debug_checks, CTLFLAG_RW, &mac_te_debug_checks, 0, "printf frequently for access checks"); @@ -87,6 +91,11 @@ TUNABLE_INT("security.mac.te.debug_transitions", &mac_te_debug_transitions); +static int labelslot; +#define SLOT(l) ((struct mac_te *)LABEL_TO_SLOT((l), labelslot).l_ptr) + +static MALLOC_DEFINE(M_MACTE, "te label", "MAC/TE labels"); + struct te_rule { struct mac_te tr_subject; struct mac_te tr_object; 
@@ -161,6 +170,192 @@ static const int te_transition_policy_num = sizeof(te_transition_policy) / sizeof(te_transition_policy[0]); +static struct mac_te * +te_alloc(int how) +{ + + return (malloc(sizeof(struct mac_te), M_MACTE, M_ZERO | how)); +} + +static void +te_free(struct mac_te *tep) +{ + + if (tep != NULL) + free(tep, M_MACTE); + else + atomic_add_int(&destroyed_not_inited, 1); +} + +/* + * Label operations. + */ +static void +mac_te_init_bpfdesc(struct bpf_d *bpf_d, struct label *label) +{ + + SLOT(label) = te_alloc(M_WAITOK); +} + +static void +mac_te_init_devfsdirent(struct devfs_dirent *devfs_dirent, + struct label *label) +{ + + SLOT(label) = te_alloc(M_WAITOK); +} + +static void +mac_te_init_ifnet(struct ifnet *ifnet, struct label *label) +{ + + SLOT(label) = te_alloc(M_WAITOK); +} + +static void +mac_te_init_ipq(struct ipq *ipq, struct label *label) +{ + + SLOT(label) = te_alloc(M_WAITOK); +} + +static int +mac_te_init_mbuf(struct mbuf *mbuf, int how, struct label *label) +{ + + SLOT(label) = te_alloc(how); + if (SLOT(label) == NULL) + return (ENOMEM); + + return (0); +} + +static void +mac_te_init_mount(struct mount *mount, struct label *mntlabel, + struct label *fslabel) +{ + + SLOT(mntlabel) = te_alloc(M_WAITOK); + SLOT(fslabel) = te_alloc(M_WAITOK); +} + +static void +mac_te_init_socket(struct socket *socket, struct label *label, + struct label *peerlabel) +{ + + SLOT(label) = te_alloc(M_WAITOK); + SLOT(peerlabel) = te_alloc(M_WAITOK); +} + +static void +mac_te_init_subject(struct ucred *ucred, struct label *label) +{ + + SLOT(label) = te_alloc(M_WAITOK); +} + +static void +mac_te_init_temp(struct label *label) +{ + + SLOT(label) = te_alloc(M_WAITOK); +} + +static void +mac_te_init_vnode(struct vnode *vp, struct label *label) +{ + + SLOT(label) = te_alloc(M_WAITOK); +} + +static void +mac_te_destroy_bpfdesc(struct bpf_d *bpf_d, struct label *label) +{ + + te_free(SLOT(label)); + SLOT(label) = NULL; +} + +static void 
+mac_te_destroy_devfsdirent(struct devfs_dirent *devfs_dirent, + struct label *label) +{ + + te_free(SLOT(label)); + SLOT(label) = NULL; +} + +static void +mac_te_destroy_ifnet(struct ifnet *ifnet, struct label *label) +{ + + te_free(SLOT(label)); + SLOT(label) = NULL; +} + +static void +mac_te_destroy_ipq(struct ipq *ipq, struct label *label) +{ + + te_free(SLOT(label)); + SLOT(label) = NULL; +} + +static void +mac_te_destroy_mbuf(struct mbuf *mbuf, struct label *label) +{ + + te_free(SLOT(label)); + SLOT(label) = NULL; +} + +static void +mac_te_destroy_mount(struct mount *mount, struct label *mntlabel, + struct label *fslabel) +{ + + te_free(SLOT(mntlabel)); + SLOT(mntlabel) = NULL; + te_free(SLOT(fslabel)); + SLOT(fslabel) = NULL; +} + +static void +mac_te_destroy_socket(struct socket *socket, struct label *label, + struct label *peerlabel) +{ + + te_free(SLOT(label)); + SLOT(label) = NULL; + te_free(SLOT(peerlabel)); + SLOT(peerlabel) = NULL; +} + +static void +mac_te_destroy_subject(struct ucred *ucred, struct label *label) +{ + + te_free(SLOT(label)); + SLOT(label) = NULL; +} + +static void +mac_te_destroy_temp(struct label *label) +{ + + te_free(SLOT(label)); + SLOT(label) = NULL; +} + +static void +mac_te_destroy_vnode(struct vnode *vp, struct label *label) +{ + + te_free(SLOT(label)); + SLOT(label) = NULL; +} + static const char * mac_te_classop_to_string(int object_class, int operation) { @@ -234,19 +429,19 @@ * Syntactic check of label: 0 for success, else an errno. */ static int -mac_te_label_valid(struct mac *label) +mac_te_label_valid(const struct mac_te *label) { int i; /* Check that it's a properly terminated string. */ for (i = 0; i < MAC_TE_TYPE_MAXLEN + 1; i++) { - if (label->m_te.mt_type[i] == '\0') + if (label->mt_type[i] == '\0') break; } if (i == MAC_TE_TYPE_MAXLEN + 1) return (EINVAL); /* Check that it's a non-nul string. */ - if (strlen(label->m_te.mt_type) == 0) + if (strlen(label->mt_type) == 0) return (EINVAL); else return (0); 
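Review bot: `te_alloc` hands back an M_ZERO block, so every `mac_te_init_*` hook leaves `mt_type` as the empty string, which `mac_te_label_valid` in the next hunk rejects with EINVAL; a label that is only init'ed and never passes through a `create_*` or relabel hook therefore carries an invalid type, and nothing in the hunk documents that the init hooks only allocate. I would put `/* Zero-filled: mt_type stays "" until a create_* or relabel hook assigns a type. */` above the `malloc` in `te_alloc`. `te_free` treating NULL as a destroy-without-init and bumping `destroyed_not_inited` is a useful signal, but at first glance it reads like a skipped `free`; a one-line comment such as `/* NULL slot: label destroyed without ever being inited; count it rather than free it. */` would prevent a later "fix". Whether every caller of the `M_WAITOK` init hooks (ipq, ifnet, mount) runs where sleeping is permitted cannot be judged from here; only the mbuf hook threads `how` through.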
@@ -267,14 +462,14 @@ } static int -mac_te_equal(struct mac *labela, struct mac *labelb) +mac_te_equal(struct label *labela, struct label *labelb) { - return (mac_te_label_equal(&labela->m_te, &labelb->m_te)); + return (mac_te_label_equal(SLOT(labela), SLOT(labelb))); } static int -mac_te_check(struct mac *subject, struct mac *object, int object_class, +mac_te_check(struct mac_te *subject, struct mac_te *object, int object_class, int operation) { int match; @@ -293,42 +488,42 @@ te_policy[rule].tr_operation == MAC_TE_OPERATION_ANY)); match = (match && mac_te_label_equal(&te_policy[rule].tr_subject, - &subject->m_te)); + subject)); match = (match && mac_te_label_equal(&te_policy[rule].tr_object, - &object->m_te)); + object)); if (match) { if (mac_te_debug_checks) printf("%s %s %s success\n", - subject->m_te.mt_type, + subject->mt_type, mac_te_classop_to_string(object_class, - operation), object->m_te.mt_type); + operation), object->mt_type); return (0); } } if (mac_te_debug_checks) - printf("%s %s %s fail\n", subject->m_te.mt_type, + printf("%s %s %s fail\n", subject->mt_type, mac_te_classop_to_string(object_class, operation), - object->m_te.mt_type); + object->mt_type); return (EACCES); } static void -mac_te_init_label_as(struct mac *label, char *type) +mac_te_init_label_as(struct mac_te *telabel, char *type) { - bzero(&label->m_te.mt_type, MAC_TE_TYPE_MAXLEN+1); - strncpy(label->m_te.mt_type, type, MAC_TE_TYPE_MAXLEN); + bzero(&telabel->mt_type, MAC_TE_TYPE_MAXLEN+1); + strncpy(telabel->mt_type, type, MAC_TE_TYPE_MAXLEN); } static void -mac_te_init_label(struct mac *label) +mac_te_init_label(struct mac_te *telabel) { - mac_te_init_label_as(label, MAC_TE_TYPE_UNINITIALIZED); + mac_te_init_label_as(telabel, MAC_TE_TYPE_UNINITIALIZED); } static void 
@@ -340,42 +535,39 @@ } static void -mac_te_copy_label(struct mac *labelfrom, struct mac *labelto) +mac_te_copy_label(struct mac_te *tefrom, struct mac_te *teto) { - mac_te_copy_label_teonly(&labelfrom->m_te, &labelto->m_te); + mac_te_copy_label_teonly(tefrom, teto); } static void mac_te_create_proc0(struct ucred *cred) { - mac_te_init_label_as(&cred->cr_label, MAC_TE_TYPE_KPROC); + mac_te_init_label_as(SLOT(&cred->cr_label), MAC_TE_TYPE_KPROC); } static void mac_te_create_proc1(struct ucred *cred) { - mac_te_init_label_as(&cred->cr_label, MAC_TE_TYPE_INIT); + mac_te_init_label_as(SLOT(&cred->cr_label), MAC_TE_TYPE_INIT); } static void mac_te_create_subject(struct ucred *cred_parent, struct ucred *cred_child) { - mac_te_copy_label(&cred_parent->cr_label, &cred_child->cr_label); + mac_te_copy_label(SLOT(&cred_parent->cr_label), + SLOT(&cred_child->cr_label)); } static int -mac_te_cred_check_relabel_subject(struct ucred *cred, struct mac *newlabel) +mac_te_cred_check_relabel_subject(struct ucred *cred, struct label *newlabel) { int error, privilege_needed; - error = mac_te_label_valid(newlabel); - if (error) - return (error); - /* Allow no-op updates without privilege. */ privilege_needed = 0; if (!mac_te_equal(&cred->cr_label, newlabel)) @@ -392,14 +584,10 @@ static int mac_te_cred_check_relabel_vnode(struct ucred *cred, struct vnode *vp, - struct mac *oldlabel, struct mac *newlabel) + struct label *oldlabel, struct label *newlabel) { int error, privilege_needed; - error = mac_te_label_valid(newlabel); - if (error) - return (error); - /* Allow no-op updates without privilege. */ privilege_needed = 0; if (!mac_te_equal(&cred->cr_label, newlabel)) 
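Review bot: Dropping `mac_te_label_valid(newlabel)` from `mac_te_cred_check_relabel_subject` and `mac_te_cred_check_relabel_vnode` (and likewise from `mac_te_cred_check_relabel_ifnet` in hunk @@ -430 and `mac_te_cred_check_relabel_socket` in hunk @@ -476) makes these hooks depend on `mac_te_internalize` being the only path by which a `struct label` is filled from user input, and that assumption is not stated anywhere in the new code. I would add `/* newlabel was already validated by mac_te_internalize(). */` where each removed check stood, so a later hook that builds a label another way is not silently trusted. Both functions keep `int error, privilege_needed;` although the visible lines no longer assign `error`; the bodies continue outside the hunks, so check whether it is still used before relying on the compiler to notice.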
@@ -415,14 +603,15 @@ } static void -mac_te_relabel_subject(struct ucred *cred, struct mac *newlabel) +mac_te_relabel_subject(struct ucred *cred, struct label *newlabel) { - mac_te_copy_label(newlabel, &cred->cr_label); + mac_te_copy_label(SLOT(newlabel), SLOT(&cred->cr_label)); } static int -mac_te_ifnet_check_send_mbuf(struct ifnet *ifnet, struct mbuf *m) +mac_te_ifnet_check_send_mbuf(struct ifnet *ifnet, struct label *ifnetlabel, + struct mbuf *m, struct label *mbuflabel) { /* @@ -430,45 +619,41 @@ * mbuf as an object. Since sockets are objects, this is * probably wrong. */ - return (mac_te_check(&ifnet->if_label, &m->m_pkthdr.label, + return (mac_te_check(SLOT(ifnetlabel), SLOT(mbuflabel), MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_SEND)); } static int mac_te_cred_check_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, - struct mac *newlabel) + struct label *newlabel) { - int error; - - error = mac_te_label_valid(newlabel); - if (error) - return (error); return (suser_cred(cred, 0)); } static void mac_te_relabel_ifnet(struct ucred *cred, struct ifnet *ifnet, - struct mac *newlabel) + struct label *ifnetlabel, struct label *newlabel) { - mac_te_copy_label(newlabel, &ifnet->if_label); + mac_te_copy_label(SLOT(newlabel), SLOT(ifnetlabel)); } static int mac_te_bpfdesc_check_receive_from_ifnet(struct bpf_d *bpf_d, - struct ifnet *ifnet) + struct label *bpflabel, struct ifnet *ifnet, struct label *ifnetlabel) { if (!mac_te_enabled) return (0); - return (mac_te_check(&bpf_d->bd_label, &ifnet->if_label, + return (mac_te_check(SLOT(bpflabel), SLOT(ifnetlabel), MAC_TE_CLASS_BPF, MAC_TE_OPERATION_BPF_RECEIVE)); } static int -mac_te_socket_check_receive_mbuf(struct socket *so, struct mbuf *m) +mac_te_socket_check_receive_mbuf(struct socket *so, struct label *socketlabel, + struct mbuf *m, struct label *mbuflabel) { /* 
@@ -476,180 +661,185 @@ * mbuf as an object. Since sockets are objects, this is * probably wrong. */ - return (mac_te_check(&so->so_label, &m->m_pkthdr.label, + return (mac_te_check(SLOT(socketlabel), SLOT(mbuflabel), MAC_TE_CLASS_MBUF, MAC_TE_OPERATION_MBUF_RECEIVE)); } static void -mac_te_create_ifnet(struct ifnet *ifnet) +mac_te_create_ifnet(struct ifnet *ifnet, struct label *ifnetlabel) { if (ifnet->if_type == IFT_LOOP) { - mac_te_init_label_as(&ifnet->if_label, MAC_TE_TYPE_EQUAL); + mac_te_init_label_as(SLOT(ifnetlabel), MAC_TE_TYPE_EQUAL); } else { - mac_te_init_label(&ifnet->if_label); + mac_te_init_label(SLOT(ifnetlabel)); } } static void -mac_te_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d) +mac_te_create_bpfdesc(struct ucred *cred, struct bpf_d *bpf_d, + struct label *bdlabel) { - mac_te_copy_label(&cred->cr_label, &bpf_d->bd_label); + mac_te_copy_label(SLOT(&cred->cr_label), SLOT(bdlabel)); } static void -mac_te_create_object(struct ucred *cred, struct mac *label) +mac_te_create_object(struct ucred *cred, struct label *label) { - mac_te_copy_label(&cred->cr_label, label); + mac_te_copy_label(SLOT(&cred->cr_label), SLOT(label)); } static void -mac_te_create_object_from_object(struct mac *oldlabel, struct mac *newlabel) +mac_te_create_object_from_object(struct label *oldlabel, struct label *newlabel) { - mac_te_copy_label(oldlabel, newlabel); + mac_te_copy_label(SLOT(oldlabel), SLOT(newlabel)); } static void -mac_te_create_mbuf_datagram_from_mbuf_fragmentqueue(struct mbuf *fragmentqueue, - struct mbuf *datagram) +mac_te_create_datagram_from_ipq(struct mbuf *ipq, struct label *ipqlabel, + struct mbuf *datagram, struct label *datagramlabel) { - mac_te_copy_label(&fragmentqueue->m_pkthdr.label, - &datagram->m_pkthdr.label); + mac_te_copy_label(SLOT(ipqlabel), SLOT(datagramlabel)); } static void -mac_te_create_mbuf_fragment_from_mbuf(struct mbuf *mbuf, struct mbuf *fragment) +mac_te_create_fragment_from_datagram(struct mbuf *datagram, + struct label 
*datagramlabel, struct mbuf *fragment, + struct label *fragmentlabel) { - mac_te_init_label(&fragment->m_pkthdr.label); - mac_te_copy_label(&mbuf->m_pkthdr.label, &fragment->m_pkthdr.label); + mac_te_init_label(SLOT(fragmentlabel)); + mac_te_copy_label(SLOT(datagramlabel), SLOT(fragmentlabel)); } static void -mac_te_create_mbuf_fragmentqueue_from_mbuf_fragment(struct mbuf *fragment, - struct mbuf *fragmentqueue) +mac_te_create_ipq_from_fragment(struct mbuf *fragment, + struct label *fragmentlabel, struct mbuf *ipq, struct label *ipqlabel) { - mac_te_copy_label(&fragment->m_pkthdr.label, - &fragmentqueue->m_pkthdr.label); + mac_te_copy_label(SLOT(fragmentlabel), SLOT(ipqlabel)); } static void -mac_te_create_mbuf_from_mbuf(struct mbuf *oldmbuf, struct mbuf *newmbuf) +mac_te_create_mbuf_from_mbuf(struct mbuf *oldmbuf, + struct label *oldmbuflabel, struct mbuf *newmbuf, + struct label *newmbuflabel) { - mac_te_copy_label(&oldmbuf->m_pkthdr.label, &newmbuf->m_pkthdr.label); + mac_te_copy_label(SLOT(oldmbuflabel), SLOT(newmbuflabel)); } static void -mac_te_create_mbuf_linklayer_for_ifnet(struct ifnet *ifnet, struct mbuf *mbuf) +mac_te_create_mbuf_linklayer_for_ifnet(struct ifnet *ifnet, + struct label *iflabel, struct mbuf *mbuf, struct label *mblabel) { - mac_te_init_label_as(&mbuf->m_pkthdr.label, MAC_TE_TYPE_EQUAL); + mac_te_init_label_as(SLOT(mblabel), MAC_TE_TYPE_EQUAL); } static void -mac_te_create_mbuf_from_ifnet(struct ifnet *ifnet, struct mbuf *m) +mac_te_create_mbuf_from_ifnet(struct ifnet *ifnet, struct label *iflabel, + struct mbuf *m, struct label *mlabel) { - mac_te_copy_label(&ifnet->if_label, &m->m_pkthdr.label); + mac_te_copy_label(SLOT(iflabel), SLOT(mlabel)); } static void mac_te_create_mbuf_multicast_encap_from_mbuf(struct mbuf *oldmbuf, - struct ifnet *ifnet, struct mbuf *newmbuf) + struct label *oldmblabel, struct ifnet *ifnet, struct label *iflabel, + struct mbuf *newmbuf, struct label *nmblabel) { - mac_te_copy_label(&oldmbuf->m_pkthdr.label, 
&newmbuf->m_pkthdr.label); + mac_te_copy_label(SLOT(oldmblabel), SLOT(nmblabel)); } static void mac_te_create_mbuf_netlayer_from_mbuf(struct mbuf *oldmbuf, - struct mbuf *newmbuf) + struct label *oldmblabel, struct mbuf *newmbuf, struct label *nmblabel) { - mac_te_copy_label(&oldmbuf->m_pkthdr.label, &newmbuf->m_pkthdr.label); + mac_te_copy_label(SLOT(oldmblabel), SLOT(nmblabel)); } static int -mac_te_mbuf_fragment_matches_mbuf_fragmentqueue(struct mbuf *fragment, - struct mbuf *fragmentqueue) +mac_te_fragment_matches_ipq(struct mbuf *fragment, + struct label *fragmentlabel, struct ipq *ipq, struct label *ipqlabel) { - return (mac_te_equal(&fragment->m_pkthdr.label, - &fragmentqueue->m_pkthdr.label)); + return (mac_te_equal(fragmentlabel, ipqlabel)); } static void -mac_te_create_mbuf_from_socket(struct socket *so, struct mbuf *m) +mac_te_create_mbuf_from_socket(struct socket *so, struct label *solabel, + struct mbuf *m, struct label *mlabel) { - mac_te_copy_label(&so->so_label, &m->m_pkthdr.label); + mac_te_copy_label(SLOT(solabel), SLOT(mlabel)); } static void -mac_te_create_socket(struct ucred *cred, struct socket *socket) +mac_te_create_socket(struct ucred *cred, struct socket *socket, + struct label *solabel) { - mac_te_create_object(cred, &socket->so_label); + mac_te_create_object(cred, solabel); mac_te_create_object(cred, &socket->so_peerlabel); } static void mac_te_create_socket_from_socket(struct socket *oldsocket, - struct socket *newsocket) + struct label *oldlabel, struct socket *newsocket, struct label *newlabel) { - mac_te_create_object_from_object(&oldsocket->so_label, - &newsocket->so_label); + mac_te_create_object_from_object(oldlabel, newlabel); mac_te_create_object_from_object(&oldsocket->so_peerlabel, &newsocket->so_peerlabel); } static void mac_te_relabel_socket(struct ucred *cred, struct socket *socket, - struct mac *newlabel) + struct label *oldlabel, struct label *newlabel) { - mac_te_copy_label(newlabel, &socket->so_label); + 
mac_te_copy_label(SLOT(newlabel), SLOT(oldlabel)); } static void -mac_te_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct socket *socket) +mac_te_set_socket_peer_from_mbuf(struct mbuf *mbuf, struct label *mlabel, + struct socket *socket, struct label *sopeerlabel) { - mac_te_copy_label(&mbuf->m_pkthdr.label, &socket->so_peerlabel); + mac_te_copy_label(SLOT(mlabel), SLOT(sopeerlabel)); } static void mac_te_set_socket_peer_from_socket(struct socket *oldsocket, - struct socket *newsocket) + struct label *oldlabel, struct socket *newsocket, + struct label *newpeerlabel) { - mac_te_copy_label(&oldsocket->so_label, &newsocket->so_peerlabel); + mac_te_copy_label(SLOT(oldlabel), SLOT(newpeerlabel)); } static void -mac_te_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct mbuf *mbuf) +mac_te_create_mbuf_from_bpfdesc(struct bpf_d *bpf_d, struct label *bdlabel, + struct mbuf *mbuf, struct label *mblabel) { - mac_te_copy_label(&bpf_d->bd_label, &mbuf->m_pkthdr.label); + mac_te_copy_label(SLOT(bdlabel), SLOT(mblabel)); } static int mac_te_cred_check_relabel_socket(struct ucred *cred, struct socket *socket, - struct mac *newlabel) + struct label *newlabel) { int error; - error = mac_te_label_valid(newlabel); - if (error) - return (error); - error = suser_cred(cred, 0); if (error) return (error); 
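Review bot: The ipq parameter is declared `struct mbuf *ipq` in `mac_te_create_datagram_from_ipq` and `mac_te_create_ipq_from_fragment` but `struct ipq *ipq` in `mac_te_fragment_matches_ipq`; the pointer is unused in all three so the compiler will not complain, but if the framework's entry points take `struct ipq *`, the first two prototypes are wrong and will not match the ops table, which is worth aligning while the hooks are being converted. `mac_te_create_socket` and `mac_te_create_socket_from_socket` now receive the socket label as a parameter yet still reach into `&socket->so_peerlabel` / `&oldsocket->so_peerlabel` directly; `mac_te_init_socket` in hunk @@ -161 takes `peerlabel` as a parameter, which suggests the create hooks are meant to as well. In `mac_te_relabel_socket` the destination of the copy is the parameter named `oldlabel`; a comment such as `/* oldlabel is the socket's live label, updated in place. */` would make the direction of `mac_te_copy_label(SLOT(newlabel), SLOT(oldlabel))` obvious. The body of `mac_te_cred_check_relabel_socket` continues outside the hunk.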
@@ -659,39 +849,45 @@ static void mac_te_create_mount(struct ucred *cred, struct mount *mp, - struct mac *mntlabel, struct mac *fslabel) + struct label *mntlabel, struct label *fslabel) { /* mac_te_create_object(cred, label); */ - mac_te_init_label_as(mntlabel, MAC_TE_TYPE_FS); - mac_te_init_label_as(fslabel, MAC_TE_TYPE_FS); + mac_te_init_label_as(SLOT(mntlabel), MAC_TE_TYPE_FS); + mac_te_init_label_as(SLOT(fslabel), MAC_TE_TYPE_FS); } static void mac_te_create_root_mount(struct ucred *cred, struct mount *mp, - struct mac *mntlabel, struct mac *fslabel) + struct label *mntlabel, struct label *fslabel) { - mac_te_init_label_as(mntlabel, MAC_TE_TYPE_ROOTFS); - mac_te_init_label_as(fslabel, MAC_TE_TYPE_FS); + mac_te_init_label_as(SLOT(mntlabel), MAC_TE_TYPE_ROOTFS); + mac_te_init_label_as(SLOT(fslabel), MAC_TE_TYPE_FS); } -static void -mac_te_print_label(struct mac *label) +static int +mac_te_internalize(struct label *label, const struct mac *extlabel) { + int error; - printf("Type Enforcement: type==%s\n", label->m_te.mt_type); + error = mac_te_label_valid(&extlabel->m_te); + if (error == 0) + *SLOT(label) = extlabel->m_te; + return (error); } static int -mac_te_validate_label(struct mac *label) +mac_te_externalize(struct label *label, struct mac *extlabel) { - return (mac_te_label_valid(label)); + extlabel->m_te = *SLOT(label); + return (0); } static void -mac_te_create_devfs_device(dev_t dev, struct mac *devicelabel) +mac_te_create_devfs_device(dev_t dev, struct devfs_dirent *de, + struct label *devicelabel) { char *te_type; 
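Review bot: `mac_te_internalize` copies the entire user-supplied `extlabel->m_te` with `*SLOT(label) = extlabel->m_te` after `mac_te_label_valid` has checked only that `mt_type` is a NUL-terminated, non-empty string; whatever the caller placed after the terminator, and in any other member or padding of `struct mac_te`, is stored verbatim and later handed back by `mac_te_externalize`. If `mac_te_label_equal` compares more than the string (not visible here), two labels with the same type could then compare unequal. Storing only the canonical string, mirroring `mac_te_init_label_as`, avoids both: `bzero(SLOT(label)->mt_type, MAC_TE_TYPE_MAXLEN + 1);` followed by `strncpy(SLOT(label)->mt_type, extlabel->m_te.mt_type, MAC_TE_TYPE_MAXLEN);` in place of the struct assignment. Since the `mac_te_destroy_*` hooks in hunk @@ -161 set the slot to NULL, both functions would fault if called after destroy; if the framework can do that, a `KASSERT(SLOT(label) != NULL, ("mac_te: NULL label slot"))` at the top would turn a silent dereference into a diagnosable panic.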
@@ -706,20 +902,20 @@ else te_type = MAC_TE_TYPE_DEVICE; - mac_te_init_label_as(devicelabel, te_type); + mac_te_init_label_as(SLOT(devicelabel), te_type); } static void mac_te_create_devfs_directory(char *dirname, int dirnamelen, - struct mac *dirlabel) + struct devfs_dirent *de, struct label *dirlabel) { - mac_te_init_label_as(dirlabel, MAC_TE_TYPE_FS); + mac_te_init_label_as(SLOT(dirlabel), MAC_TE_TYPE_FS); } static void mac_te_create_vnode_from_vnode(struct ucred *cred, struct vnode *parent, - struct mac *parentlabel, struct vnode *child, struct mac *childlabel) + struct label *parentlabel, struct vnode *child, struct label *childlabel) { mac_te_create_object(cred, childlabel); @@ -727,11 +923,14 @@ static int mac_te_cred_check_open_vnode(struct ucred *cred, struct vnode *vp, - struct mac *filelabel, mode_t acc_mode) + struct label *filelabel, mode_t acc_mode) { + struct mac_te *subj, *obj; int object_class, operation; int error; + subj = SLOT(&cred->cr_label); + obj = SLOT(filelabel); /* * Treat all vnode types as files, for the time being, except * for directories. @@ -754,8 +953,7 @@ default: panic("mac_te_vaccess: invalid object_class"); } - error = mac_te_check(&cred->cr_label, filelabel, object_class, - operation); + error = mac_te_check(subj, obj, object_class, operation); if (error) return (error); } @@ -770,8 +968,7 @@ default: panic("mac_te_vaccess: invalid object_class"); } - error = mac_te_check(&cred->cr_label, filelabel, object_class, - operation); + error = mac_te_check(subj, obj, object_class, operation); if (error) return (error); } @@ -786,8 +983,7 @@ default: panic("mac_te_vaccess: invalid object_class"); } - error = mac_te_check(&cred->cr_label, filelabel, object_class, - operation); + error = mac_te_check(subj, obj, object_class, operation); if (error) return (error); } 
@@ -798,15 +994,16 @@ mac_te_cred_check_see_cred(struct ucred *u1, struct ucred *u2) { - return (mac_te_check(&u1->cr_label, &u2->cr_label, MAC_TE_CLASS_PROC, - MAC_TE_OPERATION_PROC_SEE)); + return (mac_te_check(SLOT(&u1->cr_label), SLOT(&u2->cr_label), + MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SEE)); } static int -mac_te_cred_check_see_socket(struct ucred *cred, struct socket *socket) +mac_te_cred_check_see_socket(struct ucred *cred, struct socket *socket, + struct label *socketlabel) { - return (mac_te_check(&cred->cr_label, &socket->so_label, + return (mac_te_check(SLOT(&cred->cr_label), SLOT(socketlabel), MAC_TE_CLASS_SOCKET, MAC_TE_OPERATION_SOCKET_SEE)); } 
@@ -814,207 +1011,195 @@ mac_te_cred_check_signal_proc(struct ucred *cred, struct proc *proc, int signum) { - return (mac_te_check(&cred->cr_label, &proc->p_ucred->cr_label, - MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SIGNAL)); + return (mac_te_check(SLOT(&cred->cr_label), + SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC, + MAC_TE_OPERATION_PROC_SIGNAL)); } static int mac_te_cred_check_sched_proc(struct ucred *cred, struct proc *proc) { - return (mac_te_check(&cred->cr_label, &proc->p_ucred->cr_label, - MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_SCHED)); + return (mac_te_check(SLOT(&cred->cr_label), + SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC, + MAC_TE_OPERATION_PROC_SCHED)); } static int mac_te_cred_check_debug_proc(struct ucred *cred, struct proc *proc) { - return (mac_te_check(&cred->cr_label, &proc->p_ucred->cr_label, - MAC_TE_CLASS_PROC, MAC_TE_OPERATION_PROC_DEBUG)); + return (mac_te_check(SLOT(&cred->cr_label), + SLOT(&proc->p_ucred->cr_label), MAC_TE_CLASS_PROC, + MAC_TE_OPERATION_PROC_DEBUG)); } static int mac_te_cred_check_exec_vnode(struct ucred *cred, struct vnode *vp, - struct mac *label) + struct label *label) { - return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, - MAC_TE_OPERATION_FILE_EXEC)); + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_EXEC)); } static int mac_te_cred_check_getextattr_vnode(struct ucred *cred, struct vnode *vp, - struct mac *label, int attrnamespace, const char *name, struct uio *uio) + struct label *label, int attrnamespace, const char *name, struct uio *uio) { switch (vp->v_type) { case VDIR: - return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, - MAC_TE_OPERATION_DIR_GETEXTATTR)); + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_DIR_GETEXTATTR)); default: - return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, - MAC_TE_OPERATION_FILE_GETEXTATTR)); + return 
(mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_GETEXTATTR)); } } static int -mac_te_cred_check_getextattr_vnode(struct ucred *cred, struct vnode *vp, - struct mac *label, int attrnamespace, const char *name, struct uio *uio) -{ - - switch (vp->v_type) { - case VDIR: - return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, - MAC_TE_OPERATION_DIR_GETEXTATTR)); - default: - return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, - MAC_TE_OPERATION_FILE_GETEXTATTR)); - } -} - -static int mac_te_cred_check_revoke_vnode(struct ucred *cred, struct vnode *vp, - struct mac *label) + struct label *label) { - return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, - MAC_TE_OPERATION_FILE_ADMIN)); + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_ADMIN)); } static int mac_te_cred_check_search_vnode(struct ucred *cred, struct vnode *dvp, - struct mac *dlabel) + struct label *dlabel) { - return (mac_te_check(&cred->cr_label, dlabel, MAC_TE_CLASS_DIR, - MAC_TE_OPERATION_DIR_LOOKUP)); + return (mac_te_check(SLOT(&cred->cr_label), SLOT(dlabel), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_LOOKUP)); } static int mac_te_cred_check_setextattr_vnode(struct ucred *cred, struct vnode *vp, - struct mac *label, int attrnamespace, const char *name, struct uio *uio) + struct label *label, int attrnamespace, const char *name, struct uio *uio) { switch (vp->v_type) { case VDIR: - return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, - MAC_TE_OPERATION_DIR_SETEXTATTR)); + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_DIR, MAC_TE_OPERATION_DIR_SETEXTATTR)); default: - return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_FILE, - MAC_TE_OPERATION_FILE_SETEXTATTR)); + return (mac_te_check(SLOT(&cred->cr_label), SLOT(label), + MAC_TE_CLASS_FILE, MAC_TE_OPERATION_FILE_SETEXTATTR)); } } static int mac_te_cred_check_setflags_vnode(struct ucred 
*cred, struct vnode *vp, - struct mac *label, u_long flags) + struct label *label, u_long flags) { switch (vp->v_type) { case VDIR: - return (mac_te_check(&cred->cr_label, label, MAC_TE_CLASS_DIR, - MAC_TE_OPERATION_DIR_ADMIN)); >>> TRUNCATED FOR MAIL (1000 lines) <<< To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message